BASIC question, but still having conceptual issues

Gary Gatten Ggatten at waddell.com
Wed Aug 26 22:58:18 CEST 2009


Sorry again for the BASIC question!  I *occasionally* slam people on
other lists for being .... well, basically helpless - and here I am
asking what I think is a really stupid question!  Humble pie anyone?

Let me take a sec to thank the development team for a very flexible
product!  Seems you can do pretty much anything you'd ever need to!  Did
Ci$co steal your code for ACS 5.0? :)    Once I familiarize myself with
the ins and outs I hope to contribute to the community where I can,
probably with docs, use cases, examples, etc.

Now my current issue.  I have read a lot of doc (some 3 and 4 times) and
am close to getting my head around how FR works and the various process
flow, however, I still can't determine the best way to address this
problem:

I have several different types of clients/NASs that will be using FR
as the Front End to perform AAA - mostly Authentication, but the Author
and Acct are close behind.

Anyway, each of these clients needs to perform slightly different backend
queries to determine if Authenticate should pass or fail:

Type 1: Networking Hardware Management Access (VTY)
	- Routers, switches, VPN concentrators, firewalls, etc.
	- Auth pass if creds are good AND user is member of NetEng group in AD; else fail

Type 2: IPSec VPN Access
	- RAS to HQ via IPSec (Ci$c0 ASA at HQ)
	- Several profiles/groups will exist on ASA with different properties:
		- NetEng, SysAdmins, Basic Users, etc.
	- Auth pass if creds are good AND user is member of "RAS" group in AD

Type 3 ... etc.


So, how do I go about this?  I'm currently using NTLM_Auth and that's
all working fine, I'm just not sure how to say in FR config: if request
of type 1, run this NTLM_Auth command and check for this group; if
request of type 2, run this other NTLM_Auth command and check for this
other group.

Would this be something in the huntgroup file?

TIA for replies - back to more reading and trials for me!

Gary
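One way to express exactly that dispatch in FreeRADIUS 2.x, added here as an illustration (it is not from the original post, nor the project's shipped config): huntgroups classify each NAS, and the huntgroup name selects an ntlm_auth instance that carries its own AD group requirement. The NAS addresses, huntgroup names, domain and group names are assumed placeholders.

```unlang
# raddb/huntgroups -- classify each NAS into a huntgroup.
# rlm_preprocess reads this file and adds Huntgroup-Name to the request.
# Addresses below are constructed examples.
vty     NAS-IP-Address == 192.0.2.10
vty     NAS-IP-Address == 192.0.2.11
vpn     NAS-IP-Address == 192.0.2.20

# raddb/modules/ntlm_auth -- one exec instance per client type, each
# enforcing membership of a different AD group via --require-membership-of.
# Domain/group names are assumed; the backslash is doubled for the config parser.
exec ntlm_auth_vty {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=EXAMPLE\\NetEng"
}
exec ntlm_auth_vpn {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=EXAMPLE\\RAS"
}

# raddb/sites-enabled/default -- choose the Auth-Type from the huntgroup.
authorize {
    preprocess          # must run first: it is what sets Huntgroup-Name
    if (Huntgroup-Name == "vty") {
        update control { Auth-Type := ntlm_auth_vty }
    }
    elsif (Huntgroup-Name == "vpn") {
        update control { Auth-Type := ntlm_auth_vpn }
    }
    else {
        reject          # an unclassified NAS gets no laxer fallback policy
    }
}

authenticate {
    # Listing the instances here registers them as valid Auth-Type values.
    ntlm_auth_vty
    ntlm_auth_vpn
}
```

Because the group requirement is bound server-side to the NAS class, valid AD credentials alone never satisfy a request from the wrong kind of device; huntgroups can equally match on NAS-Identifier or other request attributes if address ranges are unwieldy.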











More information about the Freeradius-Users mailing list